# 🔐 ASCON Encryption and Decryption Implementation

[![Python](https://img.shields.io/badge/Python-3.7+-blue.svg)](https://python.org)
[![License](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
[![NIST](https://img.shields.io/badge/NIST-Lightweight%20Cryptography-red.svg)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-232.pdf)

A complete Python implementation of the **ASCON** lightweight cryptographic algorithm, featuring both encryption and decryption capabilities with authenticated encryption (AEAD).

## 🌟 Overview

ASCON is a family of lightweight authenticated encryption and hashing algorithms, selected as the winner of the NIST Lightweight Cryptography competition. This implementation provides:

- 🛡️ **Authenticated Encryption with Associated Data (AEAD)**
- 🔑 **128-bit Key Support** (ASCON-128)
- 🚀 **Efficient Permutation-based Design**
- ✅ **Built-in Authentication and Confidentiality**

## 📚 Reference

This implementation is based on the official NIST specification:
> **NIST Special Publication 800-232**: [Lightweight Cryptography Standards](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-232.pdf)

## 🔧 Features

### Core Components
- **ASCON Permutation**: 320-bit state with configurable rounds (8/12)
- **S-box Layer**: Non-linear transformation using 5-bit S-boxes
- **Linear Diffusion**: Rotation-based mixing for each 64-bit word
- **Round Constants**: Unique constants for each permutation round

### Cryptographic Operations
- 🔐 **Encryption**: `Encrypt_ASCON_AED128(K, N, A, P)`
- 🔓 **Decryption**: `Decrypt_Ascon(K, N, A, C, T)`
- 🏷️ **Tag Generation**: 128-bit authentication tag
- 📝 **Associated Data**: Support for additional authenticated data

## 🚀 Quick Start

### Basic Usage

```python
# Example encryption and decryption
key = "$*@#fg4f~e87(5Q$"  # 16-byte key
nonce = "$*@#fg4f~e87(5Q$"  # 16-byte nonce
associated_data = "FGDD" * 12 + "t" * 5  # Associated data (optional)
plaintext = "ASCON ENCRYPTION AND DECRYPTION USING TAG"

# Encrypt
ciphertext, tag = Encrypt_ASCON_AED128(key, nonce, associated_data, plaintext)

# Decrypt
decrypted_bits = Decrypt_Ascon(key, nonce, associated_data, ciphertext, tag)
decrypted_text = binstring_to_str(decrypted_bits)

print(f"Original: {plaintext}")
print(f"Decrypted: {decrypted_text}")
print(f"✅ Success: {plaintext == decrypted_text}")
```

## 📋 Function Reference

### Core Functions

#### `Encrypt_ASCON_AED128(K, N, A, P)`
Encrypts plaintext using ASCON-128 AEAD mode.

**Parameters:**
- `K` (str): 16-byte secret key
- `N` (str): 16-byte nonce (must be unique)
- `A` (str): Associated data (can be empty)
- `P` (str): Plaintext message

**Returns:**
- `tuple`: (ciphertext_bits, authentication_tag)

#### `Decrypt_Ascon(K, N, A, C, T)`
Decrypts ciphertext and verifies authentication.

**Parameters:**
- `K` (str): 16-byte secret key
- `N` (str): 16-byte nonce
- `A` (str): Associated data
- `C` (str): Ciphertext in binary format
- `T` (str): Authentication tag in binary format

**Returns:**
- `str`: Decrypted plaintext in binary format, or "FAIL" if authentication fails

### Utility Functions

#### String Conversion
- `str_to_binstring(s)`: Convert text to binary string
- `binstring_to_str(b)`: Convert binary string to text

#### Cryptographic Primitives
- `ascon_permutation(S, rounds)`: Apply ASCON permutation
- `ascon_round(S, rnd, round_num)`: Single permutation round
- `compute_sbox_bit_slice()`: Apply S-box transformation
- `bit_xor(a, b)`: XOR operation on binary strings

## 🔒 Security Features

### Authentication
- **Tag Verification**: 128-bit authentication tag prevents tampering
- **Associated Data**: Additional data authenticated but not encrypted
- **Nonce Requirements**: Unique nonce required for each encryption

### Confidentiality
- **Stream Cipher Mode**: Plaintext XORed with keystream
- **Permutation-based**: Strong diffusion through multiple rounds
- **Key-dependent**: All operations depend on the secret key

## 🧪 Testing

The implementation includes comprehensive testing:

```python
# Run 10,000 random tests
run_ascon_tests(10000)
# Output: Total Passed: 10000/10000 ✅
```

### Test Coverage
- ✅ **Random Key/Nonce Generation**
- ✅ **Variable Length Messages**
- ✅ **Associated Data Handling**
- ✅ **Encryption/Decryption Roundtrip**
- ✅ **Authentication Verification**

## 📐 Algorithm Specifications

### ASCON-128 Parameters
- **Key Size**: 128 bits (16 bytes)
- **Nonce Size**: 128 bits (16 bytes)
- **Tag Size**: 128 bits (16 bytes)
- **State Size**: 320 bits (5 × 64-bit words)
- **Rounds**: 12 (initialization), 8 (processing)

### Permutation Details
- **S-box**: 5-bit to 5-bit substitution
- **Linear Layer**: Word-wise rotation and XOR
- **Round Constants**: 16 predefined constants
- **Block Size**: 128 bits for rate (encryption/decryption)

## 🔄 Algorithm Flow

### Encryption Process
1. **Initialize**: IV || Key || Nonce → 12 rounds
2. **Process AD**: Associated data absorption
3. **Domain Separation**: XOR with constant
4. **Encrypt**: Plaintext blocks with keystream
5. **Finalize**: Generate authentication tag

### Decryption Process
1. **Initialize**: Same as encryption
2. **Process AD**: Same associated data
3. **Decrypt**: Ciphertext blocks with keystream
4. **Verify**: Compare computed vs received tag
5. **Output**: Plaintext or authentication failure

## ⚠️ Security Considerations

### Best Practices
- 🚫 **Never reuse nonces** with the same key
- 🔐 **Use cryptographically secure random nonces**
- 🗝️ **Protect secret keys** from unauthorized access
- ✅ **Always verify authentication tags** before using plaintext

### Advantages
- 💪 **Lightweight**: Suitable for constrained devices
- ⚡ **Fast**: Efficient permutation-based design
- 🛡️ **Secure**: NIST-approved algorithm
- 🔧 **Flexible**: Configurable for different use cases

### Use Cases
- 🌐 **IoT Devices**: Resource-constrained environments
- 📱 **Mobile Applications**: Battery-efficient encryption
- 🔗 **Embedded Systems**: Small footprint requirements
- 🚗 **Automotive**: Real-time cryptographic needs

## 🙏 Acknowledgments

- **NIST Lightweight Cryptography Competition**
- **ASCON Team**: Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schläffer
- **Academic Community**: For cryptographic research and standardization

---

*For detailed algorithm specifications, please refer to the [NIST SP 800-232](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-232.pdf) document.* 📖

In [None]:
def str_to_binstring(s: str) -> str:
    """Convert a text string into a binary string"""
    return "".join(f"{ord(c):08b}" for c in s)
    
def binstring_to_str(b: str) -> str:
    """Convert a binary string back to the original text string."""
    if len(b) % 8 != 0:
        raise ValueError("Invalid binary string length: must be a multiple of 8")
    return "".join(chr(int(b[i:i+8], 2)) for i in range(0, len(b), 8))

In [None]:
def parse(X, r):
    l = len(X) / r
    x = ["0"] * (int(l) + 1)
    for i in range(int(l)):
        x[i] = X[i * r : ((i + 1) * (r))]
    x[int(l)] = X[int(l) * r : len(X)]
    return x


def pad(X, r):
    """pads according to ascon hash"""
    j = (-len(X) - 1) % r
    return X + "1" + "0" * j


def bit_xor(a: str, b: str) -> str:
    """XOR two bit strings of equal length"""
    # if len(a) != len(b):
    # raise ValueError(f"Bit string lengths don't match: {len(a)} vs {len(b)}")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def bit_and(a: str, b: str) -> str:
    """AND two bit strings"""
    return "".join("1" if x == "1" and y == "1" else "0" for x, y in zip(a, b))


def right_rotation(X: str, i: int) -> str:
    """Right rotation by i bits of a 64-bit word X"""
    X = X.zfill(64)
    i %= 64
    return X[-i:] + X[:-i] if i > 0 else X


def compute_sbox_bit_slice(x0, x1, x2, x3, x4):
    # Apply S-box bit by bit
    result = [[], [], [], [], []]
    for i in range(64):
        # Extract bits at position i
        bits = [int(x0[i]), int(x1[i]), int(x2[i]), int(x3[i]), int(x4[i])]
        y0 = str(
            (bits[4] & bits[1])
            ^ bits[3]
            ^ (bits[2] & bits[1])
            ^ bits[2]
            ^ (bits[1] & bits[0])
            ^ bits[1]
            ^ bits[0]
        )
        y1 = str(
            bits[4]
            ^ (bits[3] & bits[2])
            ^ (bits[3] & bits[1])
            ^ bits[3]
            ^ (bits[2] & bits[1])
            ^ bits[2]
            ^ bits[1]
            ^ bits[0]
        )
        y2 = str((bits[4] & bits[3]) ^ bits[4] ^ bits[2] ^ bits[1] ^ 1)
        y3 = str(
            (bits[4] & bits[0])
            ^ bits[4]
            ^ (bits[3] & bits[0])
            ^ bits[3]
            ^ bits[2]
            ^ bits[1]
            ^ bits[0]
        )
        y4 = str(
            (bits[4] & bits[1]) ^ bits[4] ^ bits[3] ^ (bits[1] & bits[0]) ^ bits[1]
        )

        result[0].append(y0)
        result[1].append(y1)
        result[2].append(y2)
        result[3].append(y3)
        result[4].append(y4)

    return ["".join(result[i]) for i in range(5)]

In [None]:
const_i = [
    0x000000000000003c, 0x000000000000002d, 0x000000000000001e, 0x000000000000000f,
    0x00000000000000f0, 0x00000000000000e1, 0x00000000000000d2, 0x00000000000000c3,
    0x00000000000000b4, 0x00000000000000a5, 0x0000000000000096, 0x0000000000000087,
    0x0000000000000078, 0x0000000000000069, 0x000000000000005a, 0x000000000000004b
]
def pho_c(S, rnd, round_num):
    """Add round constant to S2"""
    words = [S[i*64:(i+1)*64] for i in range(5)]
    const_idx = 16 - rnd + round_num
    const_bits = bin(const_i[const_idx])[2:].zfill(64)
    words[2] = bit_xor(words[2], const_bits)
    return ''.join(words)


def pho_s(S):
    """Apply S-box layer"""
    words = [S[i*64:(i+1)*64] for i in range(5)]
    words = compute_sbox_bit_slice(*words)
    return ''.join(words)


def pho_l(S):
    """Apply linear diffusion layer"""
    words = [S[i*64:(i+1)*64] for i in range(5)]

    words[0] = bit_xor(words[0], bit_xor(
        right_rotation(words[0], 19), right_rotation(words[0], 28)))
    words[1] = bit_xor(words[1], bit_xor(
        right_rotation(words[1], 61), right_rotation(words[1], 39)))
    words[2] = bit_xor(words[2], bit_xor(
        right_rotation(words[2], 1), right_rotation(words[2], 6)))
    words[3] = bit_xor(words[3], bit_xor(
        right_rotation(words[3], 10), right_rotation(words[3], 17)))
    words[4] = bit_xor(words[4], bit_xor(
        right_rotation(words[4], 7), right_rotation(words[4], 41)))

    return ''.join(words)


def ascon_round(S, rnd, round_num):
    """One round = AddConst -> S-box -> Linear"""
    S = pho_c(S, rnd, round_num)
    S = pho_s(S)
    S = pho_l(S)
    return S

def ascon_permutation(S, rounds):
    """Full Ascon permutation"""
    S = S.zfill(320)
    for round_num in range(rounds):
        S = ascon_round(S, rounds, round_num)
    return S

In [None]:
const_IV = '0000000000000000000100000000000010000000100011000000000000000001'
msg = "$*@#fg4f~e87(5Q$"
associated_data = "FGDD" * 12 + "t"*5
plaintext = "PLAIN" * 13 + "p"*4

16


In [None]:
def Encrypt_ASCON_AED128(K, N, A, P):
    key_bit = str_to_binstring(K)
    nonce_bit = str_to_binstring(N)
    associated_bit = str_to_binstring(A)
    plain_bit = str_to_binstring(P)
    S = const_IV + key_bit + nonce_bit
    S = ascon_permutation(S, 12)
    S = bit_xor(S, "0" * 192 + key_bit)
    a = ""
    if len(A) > 0:
        a = parse(associated_bit, 128)
        a[len(a) - 1] = pad(a[len(a) - 1], 128)
        for i in range(len(a)):
            S = ascon_permutation(bit_xor(S[0:128], a[i]) + S[128:], 8)
    S = bit_xor(S, "0" * 319 + "1")
    p = parse(plain_bit, 128)
    l = len(p[len(p) - 1])
    C = ["0"] * len(p)
    for i in range(len(p) - 1):
        new_prefix = bit_xor(S[0:128], p[i])
        C[i] = new_prefix
        S = new_prefix + S[128:]
        S = ascon_permutation(S, 8)
    prefix = bit_xor(S[0:128], pad(p[len(p) - 1], 128))
    S = prefix + S[128:]
    C[len(p) - 1] = S[0:l]
    Cipher = ""
    for i in range(len(C)):
        Cipher += C[i]
    S = ascon_permutation(bit_xor(S, "0" * 128 + key_bit + "0" * 64), 12)
    T = ""
    T = bit_xor(S[192:320], key_bit)
    return Cipher, T


plaintext = "ASCON ENCRYPTION AND DECRYPTION USING TAG WHICH HELPS IN AUTHENTICATION AND CONFIDENTIALITY"
Cipher, T = Encrypt_ASCON_AED128(msg, msg, associated_data, plaintext)


In [None]:
def Decrypt_Ascon(K, N, A, C, T):
    key_bit = str_to_binstring(K)
    nonce_bit = str_to_binstring(N)
    S = const_IV + key_bit + nonce_bit
    S = ascon_permutation(S, 12)
    S = bit_xor(S, "0" * 192 + key_bit)
    # print(len(S))
    if len(A) > 0:
        associated_bit = str_to_binstring(A)
        a = parse(associated_bit, 128)
        a[len(a) - 1] = pad(a[len(a) - 1], 128)
        for i in range(len(a)):
            S = ascon_permutation(bit_xor(S[0:128], a[i]) + S[128:320], 8)
    S = bit_xor(S, "0" * 319 + "1")
    c_dash = parse(C, 128)
    l = len(c_dash[len(c_dash) - 1])
    # print('l ',l)
    P = ["0"] * len(c_dash)
    for i in range(len(c_dash) - 1):
        P[i] = bit_xor(S[0:128], c_dash[i])
        S = c_dash[i] + S[128:]
        S = ascon_permutation(S, 8)
    P[len(c_dash) - 1] = bit_xor(S[0:l], c_dash[len(c_dash) - 1])
    S = S[0:l] + bit_xor(S[l:128], "1" + "0" * (127 - l)) + S[128:]
    S = c_dash[len(c_dash) - 1] + S[l:]
    S = ascon_permutation(bit_xor(S, "0" * 128 + key_bit + "0" * 64), 12)
    T_dash = bit_xor(S[192:320], key_bit)
    p_text = ""
    if T == T_dash:
        for i in range(len(P)):
            p_text += P[i]
        return p_text
    else:
        return "FAIL"
b = Decrypt_Ascon(msg, msg, associated_data, Cipher, T)
print(binstring_to_str(b))


ASCON ENCRYPTION AND DECRYPTION USING TAG WHICH HELPS IN AUTHENTICATION AND CONFIDENTIALITY


In [25]:
import random
import string

def random_string(length: int) -> str:
    """Generate a random ASCII string of given length."""
    return ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(length))

def run_ascon_tests(num_tests: int = 20):
    correct = 0
    for i in range(num_tests):
        K = random_string(16)   
        N = random_string(16)   
        A = random_string(random.randint(0, 20)) 
        P = random_string(random.randint(1, 20))  
        C, T = Encrypt_ASCON_AED128(K, N, A, P)
        decrypted_bits = Decrypt_Ascon(K, N, A, C, T)
        decrypted_text = binstring_to_str(decrypted_bits)
        if decrypted_text == P:
            correct += 1
            # print(f"[✓] Test {i+1}: Passed")
        else:
            print(f"[✗] Test {i+1}: Failed")
    print(f"\nTotal Passed: {correct}/{num_tests}")

run_ascon_tests(10000)



Total Passed: 10000/10000
